
Bug#4190: serious security hole in libc (resolver)



David Engel wrote:
> About the best I can do, without further guidance, is make libc not
> echo the problem lines to stderr.  Is that acceptable?

I'm not sure.  Someone could still read special files as root
(they would not see the contents, but merely reading them might
sometimes cause trouble too, if reading changes the state of
the device - as is the case with tapes, for example).

My suggestion (not tested, but it is rather simple) - replace
all occurrences of getenv() in the resolver with safe_getenv(),
implemented like this:

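#include <stdlib.h>	/* getenv() */
#include <unistd.h>	/* getuid(), geteuid(), getgid(), getegid() */

/* Ignore the environment when running set-uid or set-gid. */
char *
safe_getenv(const char *name)
{
	if (geteuid() != getuid() || getegid() != getgid())
		return NULL;
	return getenv(name);
}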

This assumes that telnetd will only pass known safe environment
variables to login, as suggested in another bug report against
netstd (I just got a response that the next netstd will be OK).
In the more paranoid version, safe_getenv() could simply always
return NULL.  Not all of the environment variables used by the
resolver might be dangerous - but I think it is better to err on
the safe side here...

Marek
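
The check proposed above, seen from the caller's side, as an added example that is not part of the original message or of libc: the IDs are passed in so that both branches can be exercised without installing a set-uid binary, and the caller falls back to a fixed path when the override is refused. The variable name EXAMPLE_RESOLVER_CONF, the default path and the *_ids helpers are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names, for illustration only. */
#define EXAMPLE_CONF_ENV     "EXAMPLE_RESOLVER_CONF"
#define EXAMPLE_CONF_DEFAULT "/etc/example-resolver.conf"

struct ids { uid_t ruid, euid; gid_t rgid, egid; };

/* Nonzero when effective and real IDs differ (set-uid or set-gid process). */
int ids_elevated(const struct ids *p)
{
    return p->euid != p->ruid || p->egid != p->rgid;
}

/* Same test as safe_getenv() in the message, with the IDs as a parameter. */
char *safe_getenv_ids(const char *name, const struct ids *p)
{
    if (ids_elevated(p))
        return NULL;
    return getenv(name);
}

/* Wrapper that supplies the IDs of the running process. */
char *safe_getenv(const char *name)
{
    struct ids cur = { getuid(), geteuid(), getgid(), getegid() };
    return safe_getenv_ids(name, &cur);
}

/* Caller side: use the override only if allowed, set and non-empty. */
const char *conf_path_ids(const struct ids *p)
{
    const char *v = safe_getenv_ids(EXAMPLE_CONF_ENV, p);
    return (v != NULL && *v != '\0') ? v : EXAMPLE_CONF_DEFAULT;
}

int main(void)
{
    struct ids cur = { getuid(), geteuid(), getgid(), getegid() };
    setenv(EXAMPLE_CONF_ENV, "/tmp/constructed.conf", 1); /* constructed value */
    printf("safe_getenv: %s\n", safe_getenv(EXAMPLE_CONF_ENV) ? "set" : "NULL");
    printf("config path: %s\n", conf_path_ids(&cur));
    return 0;
}
```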


